Solved

Account getting locked in Microsoft CAS server, exchange 2013

Posted on 2016-10-04
Medium Priority
353 Views
Last Modified: 2016-10-11
One account in our domain is getting locked again and again. From Active Directory I used three tools to find out the source, and all tools show that the workstation is our CAS server. I shut down the client machine and the account got locked within half an hour after shutting down. The tools I used are "Account Lockout Status", "Netwrix Account Lockout Examiner" and "ManageEngine ADAudit Plus". Also, Event Viewer on AD is showing the log as below:

Kerberos pre-authentication failed.
Account Information:
      Security ID:            MIC\ofekry
      Account Name:            ofekry

Service Information:
      Service Name:            krbtgt/mic

Network Information:
      Client Address:            ::ffff:--.--.--.--    (CAS server Address)
      Client Port:            60818

Additional Information:
      Ticket Options:            0x40810010
      Failure Code:            0x18
      Pre-Authentication Type:      2

Certificate Information:
      Certificate Issuer Name:            
      Certificate Serial Number:       
      Certificate Thumbprint:            

Certificate information is only provided if a certificate was used for pre-authentication.
Pre-authentication types, ticket options and failure codes are defined in RFC 4120.
if the ticket was malformed or damaged during transit and could not be decrypted, then many fields in this event might not be present.

I also logged in to the CAS server and executed the command in the Exchange shell, and below is the result:

[PS] C:\Windows\system32>Get-ActiveSyncDeviceStatistics -Mailbox ofekry
Creating a new session for implicit remoting of "Get-ActiveSyncDeviceStatistics" command...
WARNING: The Get-ActiveSyncDeviceStatistics cmdlet will be removed in a future version of Exchange. Use the
Get-MobileDeviceStatistics cmdlet instead. If you have any scripts that use the Get-ActiveSyncDeviceStatistics cmdlet,
update them to use the Get-MobileDeviceStatistics cmdlet.  For more information, see
http://go.microsoft.com/fwlink/p/?LinkId=254711.


RunspaceId                    : 4a009f23-d25f-4e9c-b867-b8cd83259dbd
DeviceActiveSyncVersion       : 14.1
FirstSyncTime                 : 3/24/2015 11:52:50 AM
LastPolicyUpdateTime          : 11/2/2015 1:58:06 PM
LastSyncAttemptTime           : 9/18/2016 7:09:18 AM
LastSuccessSync               : 9/18/2016 7:09:18 AM
DeviceType                    : iPhone
DeviceID                      : A0BEPH6S8L3IB9LNNUJSK9EBE8
DeviceUserAgent               : Apple-iPhone7C2/1401.403
DeviceWipeSentTime            :
DeviceWipeRequestTime         :
DeviceWipeAckTime             :
LastPingHeartbeat             : 900
RecoveryPassword              : ********
DeviceModel                   : iPhone7C2
DeviceImei                    :
DeviceFriendlyName            : iPhone 6
DeviceOS                      : iOS 10.0.1 14A403
DeviceOSLanguage              : en-KW
DevicePhoneNumber             :
MailboxLogReport              :
DeviceEnableOutboundSMS       : False
DeviceMobileOperator          :
Identity                      : MIC.COM.KW/MICOU/UserAccounts/Standard/Finance/Omar
                                Fekry/ExchangeActiveSyncDevices/iPhone§A0BEPH6S8L3IB9LNNUJSK9EBE8
Guid                          : ce703a7d-dc6c-4d45-be23-49b65e59da7a
IsRemoteWipeSupported         : True
Status                        : DeviceOk
StatusNote                    :
DeviceAccessState             : Allowed
DeviceAccessStateReason       : Global
DeviceAccessControlRule       :
DevicePolicyApplied           : Default
DevicePolicyApplicationStatus : AppliedInFull
LastDeviceWipeRequestor       :
NumberOfFoldersSynced         : 8
SyncStateUpgradeTime          :
ClientType                    : EAS
IsValid                       : True
ObjectState                   : Unchanged

RunspaceId                    : 4a009f23-d25f-4e9c-b867-b8cd83259dbd
DeviceActiveSyncVersion       : 14.1
FirstSyncTime                 : 12/16/2014 1:01:09 PM
LastPolicyUpdateTime          : 12/17/2014 3:31:21 AM
LastSyncAttemptTime           : 3/24/2015 7:36:10 PM
LastSuccessSync               : 3/24/2015 7:36:10 PM
DeviceType                    : SAMSUNGGTI9500
DeviceID                      : SEC12B0DAB3C46E7
DeviceUserAgent               : SAMSUNG-GT-I9500/101.40402
DeviceWipeSentTime            :
DeviceWipeRequestTime         :
DeviceWipeAckTime             :
LastPingHeartbeat             : 470
RecoveryPassword              : ********
DeviceModel                   : GT-I9500
DeviceImei                    : 357138055578543
DeviceFriendlyName            : ja3gxx
DeviceOS                      : Android
DeviceOSLanguage              : English
DevicePhoneNumber             :
MailboxLogReport              :
DeviceEnableOutboundSMS       : False
DeviceMobileOperator          :
Identity                      : MIC.COM.KW/MICOU/UserAccounts/Standard/Finance/Omar
                                Fekry/ExchangeActiveSyncDevices/SAMSUNGGTI9500§SEC12B0DAB3C46E7
Guid                          : f6647896-964a-4bfe-8804-7f84a1832ca3
IsRemoteWipeSupported         : True
Status                        : DeviceOk
StatusNote                    :
DeviceAccessState             : Allowed
DeviceAccessStateReason       : Global
DeviceAccessControlRule       :
DevicePolicyApplied           : Default
DevicePolicyApplicationStatus : AppliedInFull
LastDeviceWipeRequestor       :
NumberOfFoldersSynced         : 7
SyncStateUpgradeTime          : 12/16/2014 1:17:20 PM
ClientType                    : EAS
IsValid                       : True
ObjectState                   : Unchanged


As you can see, the last successful sync was on the 18th of last month because I removed the account from his mobile, so the mobile is not the source.

So basically I have 2 questions.
First question: Is there a way to find out what is trying to authenticate from Exchange? I mean, is it a mobile device or a machine with MS Outlook or web access or any other device that requires authentication? In short, I want to know the type of authentication if possible, like type 1 = Outlook, type 2 = mobile device, type 3 = web access, etc.
Second question: How can I find out the source address of the device or machine that is trying to get authenticated from Exchange?

Also note that, as I mentioned above, the source machine of the locked account is the Exchange server and not the client machine. Also, I shut down the client machine and still the account got locked, which means that the client machine is not initiating the authentication request.

Please help me in diagnosing the said account lockout issue.

Regards

Imran.
Question by:Imran Yousaf
11 Comments
 
LVL 32

Assisted Solution

by:Scott C
Scott C earned 668 total points
ID: 41827954
Yes, I've seen when a user has or has had many mobile devices this can cause this exact issue.

Run this command to see all ActiveSync devices for the user in question:

Get-ActiveSyncDevice -Identity "TonySmith"

See if he has any devices that are associated with his mailbox and have possibly been forgotten. Then remove them using:

Remove-ActiveSyncDevice -Identity iPhone_TonySmith -Confirm:$true

Note:  Quotes in the first command and none in the second.
 
LVL 30

Assisted Solution

by:Sudeep Sharma
Sudeep Sharma earned 668 total points
ID: 41827998
You could also try to analyze the Exchange logs using Microsoft Log Parser. I don't have the command to run and check the logs right now, but I will post them later.

https://technet.microsoft.com/en-gb/scriptcenter/dd919274.aspx

Sudeep
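Sudeep's suggestion is to run Log Parser over the Exchange logs; the same grouping can be done with a short script, and it answers both of Imran's questions from one data source. The Python script below is an added example, not code from this thread or from Microsoft. It reads an IIS W3C log from the CAS front-end site (on Exchange 2013 the default path is C:\inetpub\logs\LogFiles\W3SVC1; the back-end site's log records the CAS's own address as the client, so it does not help here), classifies every request by the virtual directory in cs-uri-stem (Microsoft-Server-ActiveSync, owa, rpc, mapi, EWS and so on), which tells you the kind of client, and groups the account's requests and HTTP 401 responses by client address and User-Agent, which gives the source. One caveat the script handles explicitly: for anything other than ActiveSync, a request that fails authentication is logged with cs-username "-", so the user is not in the IIS record at all; those 401s are reported separately per source address so they can be matched against the Security log by time. The log lines, addresses and device IDs are constructed samples.

```python
"""Group one user's Exchange 2013 client-access requests from an IIS W3C log.

Added example, not code from this thread. Reads the CAS front-end site log
(default path C:/inetpub/logs/LogFiles/W3SVC1/u_exYYMMDD.log on Exchange 2013)
and reports, per access protocol, client address and User-Agent, how many
requests the account made and how many got HTTP 401. The log below is a
constructed sample with RFC 5737 documentation addresses and made-up device IDs.
"""
import sys
from collections import Counter, defaultdict
from urllib.parse import parse_qs

# First path segment of cs-uri-stem -> kind of client that uses that virtual directory.
PROTOCOLS = {
    "microsoft-server-activesync": "ActiveSync (mobile device)",
    "owa": "Outlook Web App (browser)",
    "ecp": "ECP / OWA options (browser)",
    "rpc": "Outlook Anywhere (RPC over HTTP)",
    "mapi": "Outlook (MAPI over HTTP)",
    "ews": "Exchange Web Services (Outlook, Mac Mail, Lync, EWS apps)",
    "autodiscover": "Autodiscover (any client)",
    "oab": "Outlook (OAB download)",
}

# Constructed sample log. IIS writes "+" for spaces inside the User-Agent field.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 8.5
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs-referer sc-status sc-substatus sc-win32-status time-taken
2016-10-05 05:36:55 10.0.0.10 POST /Microsoft-Server-ActiveSync/default.eas User=ofekry&DeviceId=APPL000SAMPLE&DeviceType=iPhone&Cmd=Ping 443 - 198.51.100.23 Apple-iPhone7C2/1401.403 - 401 1 1326 12
2016-10-05 05:36:56 10.0.0.10 POST /Microsoft-Server-ActiveSync/default.eas User=ofekry&DeviceId=APPL000SAMPLE&DeviceType=iPhone&Cmd=Ping 443 - 198.51.100.23 Apple-iPhone7C2/1401.403 - 401 1 1326 9
2016-10-05 05:37:01 10.0.0.10 POST /owa/auth.owa - 443 - 192.0.2.44 Mozilla/5.0+(Windows+NT+6.1)+Chrome/53.0 - 302 0 0 31
2016-10-05 05:37:02 10.0.0.10 GET /owa/ - 443 mic\\ofekry 192.0.2.44 Mozilla/5.0+(Windows+NT+6.1)+Chrome/53.0 - 200 0 0 140
2016-10-05 05:37:10 10.0.0.10 RPC_IN_DATA /rpc/rpcproxy.dll mbx01.example.test:6001 443 - 192.0.2.44 MSRPC - 401 2 5 3
2016-10-05 05:37:11 10.0.0.10 POST /mapi/emsmdb/ MailboxId=sample@example.test 443 - 203.0.113.7 Microsoft+Office/16.0+(Windows+NT+6.1;+Microsoft+Outlook+16.0.4266) - 401 1 1326 5
"""


def parse_iis_log(text):
    """Yield one dict per request record, keyed by the column names in the #Fields header."""
    fields = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue
        if fields is None:
            raise ValueError("log has no #Fields header before the first record")
        values = line.split(" ")
        if len(values) != len(fields):
            continue  # truncated or malformed record: skip it rather than misalign columns
        yield dict(zip(fields, values))


def protocol_of(stem):
    """Classify a request by its virtual directory (the first path segment)."""
    first = stem.strip("/").split("/", 1)[0].lower()
    return PROTOCOLS.get(first, "other (%s)" % stem)


def request_user(rec):
    """Account the record belongs to: cs-username, or the User= query parameter that
    ActiveSync always sends. Returns None when IIS did not record a user."""
    name = rec.get("cs-username", "-")
    if name != "-":
        return name.split("\\")[-1].lower()
    query = rec.get("cs-uri-query", "-")
    if query != "-":
        user = parse_qs(query).get("User")
        if user:
            return user[0].split("\\")[-1].split("@")[0].lower()
    return None


def summarize_user(text, account):
    """Count requests, 401 responses and bad-password 401s per (protocol, client IP,
    User-Agent) for one account. 401s whose user IIS could not record are returned
    separately, keyed the same way, for correlation with Security-log events."""
    account = account.lower()
    by_source = defaultdict(lambda: {"requests": 0, "401": 0, "bad_password": 0})
    anonymous_401 = Counter()
    for rec in parse_iis_log(text):
        key = (protocol_of(rec["cs-uri-stem"]), rec["c-ip"], rec["cs(User-Agent)"])
        user = request_user(rec)
        if user == account:
            c = by_source[key]
            c["requests"] += 1
            if rec["sc-status"] == "401":
                c["401"] += 1
                # sc-win32-status 1326 is ERROR_LOGON_FAILURE (wrong user name or password);
                # other 401s are usually the normal NTLM/Negotiate challenge.
                if rec.get("sc-win32-status") == "1326":
                    c["bad_password"] += 1
        elif user is None and rec["sc-status"] == "401":
            anonymous_401[key] += 1
    return dict(by_source), dict(anonymous_401)


if __name__ == "__main__":
    # usage: python iis_auth_sources.py <account> [u_ex161005.log]; without a file the sample is used
    account = sys.argv[1] if len(sys.argv) > 1 else "ofekry"
    text = open(sys.argv[2], encoding="utf-8", errors="replace").read() if len(sys.argv) > 2 else SAMPLE_LOG
    by_source, anonymous = summarize_user(text, account)
    for (proto, ip, agent), c in sorted(by_source.items(), key=lambda kv: -kv[1]["401"]):
        print(f"{account:12} {proto:45} {ip:16} 401={c['401']:<4} bad-pw={c['bad_password']:<4} {agent}")
    for (proto, ip, agent), n in anonymous.items():
        print(f"{'(no user)':12} {proto:45} {ip:16} 401={n:<4} {agent}")
```

Run it against a copy of the day's u_ex log from each CAS; a source that shows many 401s with win32 status 1326 and never a 200 is the client still holding the old password, and the protocol column tells you whether to look for a phone, an Outlook profile or a browser session.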
 
LVL 8

Assisted Solution

by:Senior IT System Engineer
Senior IT System Engineer earned 664 total points
ID: 41829035
Try to remove the Exchange email profile from the offending iPhone 7 and then try to establish the connection again.

It will not remove any data, just the email profile settings on the phone, and it re-establishes the ActiveSync connection.

Author Comment

by:Imran Yousaf
ID: 41829254
Dear ScottCha,

I ran the command and couldn't find any result. Below is the output:

[PS] C:\Windows\system32>Get-ActiveSyncDevice -Identity "ofekry"
The mobile device ofekry cannot be found.
    + CategoryInfo          : NotSpecified: (:) [Get-ActiveSyncDevice], ManagementObjectNotFoundException
    + FullyQualifiedErrorId : [Server=EXCHANGENODE2,RequestId=68c23e74-4dbd-438f-82ea-2d87b321ba68,TimeStamp=10/5/2016
    5:36:55 AM] [FailureCategory=Cmdlet-ManagementObjectNotFoundException] 6B80FCB3,Microsoft.Exchange.Management.Tas
  ks.GetActiveSyncDevice
    + PSComputerName        : miccas01.mic.com.kw

[PS] C:\Windows\system32>
 

Author Comment

by:Imran Yousaf
ID: 41829256
Dear Sudeep Sharma,

I will download the Log Parser now and will share my findings.
 

Author Comment

by:Imran Yousaf
ID: 41829258
@ ITSystemEngineer

I will remove the email profile and inform you once done.
 

Accepted Solution

by:Imran Yousaf
Imran Yousaf earned 0 total points
ID: 41831462
Thanks, guys, for all your support. My issue is solved. Actually, I missed one important point. I mentioned that in the Event Viewer of the AD server I can see that the authentication request was coming from the Exchange CAS server, but I missed checking the Event Viewer of the CAS server.

Network Information:
      Client Address:            ::ffff:--.--.--.--    (CAS server Address)
      Client Port:            60818

On the CAS server I saw that the request is coming from a network IP somewhere in another country. After checking with the employee, he remembered that he configured his email there when he was on vacation. ...... Anyway, thanks again for all your support, and below is the log from the Event Viewer of the CAS server:

event id = 4625

An account failed to log on
Logon ID:            0x3E7
Logon Type:                  8
Account For Which Logon Failed:
Security ID:            NULL SID
Account Name:            Ofekry
Account Domain:            mic
Failure Information:
Failure Reason:            Unknown user name or bad password.
Status:                  0xC000006D
Sub Status:            0xC000006A
Process Information:
Caller Process ID:      0x1e0c
Caller Process Name:      C:\Windows\System32\inetsrv\w3wp.exe

Network Information:

Workstation Name:      MICCAS01
Source Network Address:      105.195.47.223
Source Port:            54909
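The 4625 event quoted in the accepted answer carries the answer to both of the original questions: Logon Type 8 (NetworkCleartext) with Caller Process Name w3wp.exe means the credentials reached IIS on the CAS as a Basic authentication header, and Source Network Address is the client that sent them, whereas the domain controller's 4771 only ever sees the CAS. As an added example that is not part of this thread, the Python script below parses the message text of such events (for instance exported on the CAS with wevtutil qe Security /q:"*[System[EventID=4625]]" /f:text and saved as UTF-8) and tallies failures per account, source address, logon type, process and decoded failure code, so repeated bad-password attempts from one address stand out. It also handles the lockout case, where Windows puts 0xC0000234 in Status and 0x0 in Sub Status, and the IPv4-mapped "::ffff:" address form seen in the DC's event. The two events in the sample are constructed after the one above, with an RFC 5737 documentation address in place of the real one.

```python
"""Decode 'An account failed to log on' (event ID 4625) messages from a CAS.

Added example, not from this thread. Input is the message text of one or more
4625 events, e.g. exported on the CAS with
    wevtutil qe Security /q:"*[System[EventID=4625]]" /f:text
The two events below are a constructed sample modelled on the one quoted in
the accepted answer, with an RFC 5737 documentation address.
"""
import re
from collections import Counter

LOGON_TYPES = {
    "2": "Interactive", "3": "Network", "4": "Batch", "5": "Service", "7": "Unlock",
    "8": "NetworkCleartext",  # what IIS Basic authentication produces via LogonUser
    "9": "NewCredentials", "10": "RemoteInteractive", "11": "CachedInteractive",
}

# NTSTATUS codes 4625 reports in "Sub Status" (or in "Status" when Sub Status is 0x0).
SUB_STATUS = {
    "0xc000006a": "wrong password",
    "0xc0000064": "user name does not exist",
    "0xc0000234": "account locked out",
    "0xc0000072": "account disabled",
    "0xc000006f": "logon outside permitted hours",
    "0xc0000070": "logon from unauthorised workstation",
    "0xc0000071": "password expired",
    "0xc0000193": "account expired",
    "0xc0000224": "user must change password at next logon",
}

# Constructed sample: a wrong-password failure followed by a failure after lockout.
SAMPLE_EVENTS = """\
An account failed to log on.
Logon Type:                   8
Account For Which Logon Failed:
      Security ID:            NULL SID
      Account Name:           Ofekry
      Account Domain:         mic
Failure Information:
      Failure Reason:         Unknown user name or bad password.
      Status:                 0xC000006D
      Sub Status:             0xC000006A
Process Information:
      Caller Process ID:      0x1e0c
      Caller Process Name:    C:\\Windows\\System32\\inetsrv\\w3wp.exe
Network Information:
      Workstation Name:       MICCAS01
      Source Network Address: 198.51.100.23
      Source Port:            54909

An account failed to log on.
Logon Type:                   8
Account For Which Logon Failed:
      Security ID:            NULL SID
      Account Name:           Ofekry
      Account Domain:         mic
Failure Information:
      Failure Reason:         Account locked out.
      Status:                 0xC0000234
      Sub Status:             0x0
Process Information:
      Caller Process ID:      0x1e0c
      Caller Process Name:    C:\\Windows\\System32\\inetsrv\\w3wp.exe
Network Information:
      Workstation Name:       MICCAS01
      Source Network Address: 198.51.100.23
      Source Port:            54910
"""


def parse_event(text):
    """Return (section, field, value) triples from one event's message text.
    Field names repeat across sections (Security ID, Account Name), so the section
    is kept; a blank line ends a section because indentation may be lost on export."""
    triples, section = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            section = None
            continue
        if line.endswith(":"):            # e.g. "Failure Information:"
            section = line[:-1]
            continue
        if ":" not in line:               # the summary sentence
            continue
        key, value = line.split(":", 1)
        triples.append((section, key.strip(), value.strip()))
    return triples


def field(triples, name, section=None):
    """First value of a field, preferring the given section and falling back to any."""
    for sec, key, value in triples:
        if key == name and (section is None or sec == section):
            return value
    return field(triples, name) if section is not None else None


def describe(event_text):
    """Who, from where, through which process, and why, for one event."""
    t = parse_event(event_text)
    addr = field(t, "Source Network Address", "Network Information") or "-"
    if addr.lower().startswith("::ffff:"):
        addr = addr[7:]                   # IPv4-mapped IPv6 form, as the DC's 4771 shows it
    status = (field(t, "Status", "Failure Information") or "").lower()
    sub = (field(t, "Sub Status", "Failure Information") or "").lower()
    code = sub if sub not in ("", "0x0") else status   # lockouts carry the code in Status
    process = field(t, "Caller Process Name", "Process Information") or "-"
    return {
        "account": (field(t, "Account Name", "Account For Which Logon Failed") or "-").lower(),
        "source": addr,
        "logon_type": LOGON_TYPES.get(field(t, "Logon Type") or "", "unknown"),
        "process": re.split(r"[\\/]", process)[-1],
        "reason": SUB_STATUS.get(code, code or "unknown"),
    }


def split_events(text):
    """Split an export containing several events on each event's summary line."""
    return [p for p in re.split(r"(?m)^(?=An account failed to log on)", text) if p.strip()]


def summarize(text, account=None):
    """Count failures per (account, source, logon type, process, reason)."""
    counts = Counter()
    for ev in split_events(text):
        d = describe(ev)
        if account and d["account"] != account.lower():
            continue
        counts[(d["account"], d["source"], d["logon_type"], d["process"], d["reason"])] += 1
    return counts


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1], encoding="utf-8", errors="replace").read() if len(sys.argv) > 1 else SAMPLE_EVENTS
    for key, n in summarize(text).most_common():
        print(f"{n:5}  " + "  ".join(key))
```

Read the output from the CAS side, not the DC side: once a source address shows "wrong password" followed by "account locked out" through w3wp.exe, the client at that address is the one replaying stale credentials, and the IIS log for the same minute tells you which protocol it used.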
 

Author Comment

by:Imran Yousaf
ID: 41831466
open for questions
 
LVL 32

Expert Comment

by:Scott C
ID: 41831476
So it was another device as I thought... just not a mobile device. Glad it's resolved.

Saved his password on a public machine...  Will users never learn?
 

Author Closing Comment

by:Imran Yousaf
ID: 41838091
already provided
